The Privacy Professional

In the EU, individual privacy and data protection have been a fundamental rights for quite some time and is now a way of life under GDPR .  Data protection in the U.S. is a fairly new concept. In 2003, California was the first state to pass a data protection law. Since then, 48 other states have followed suit by passing data protection laws that protect the personal data of their respective residents. South Dakota is not the last state, but by passing SB 62 in February of this year it is still pretty late to the data protection party. Class of the protected individuals The bill applies to individuals residing in the state. Individual Rights Individuals have the right to have their personally identifiable information (PII) from being acquired by an unauthorized parties (breach ). PII is defined as “ computerized data ” consisting of first name (or first initial) and last names AND one of the following : Identification number (such as social security numbers

What is Personal Data? In the US personal data is known as personally identifiable  information (PII).   Generally, it is defined as information that can be reasonably linked to an individual, using persistent identifiers.  Federal and State statutes determine a more specific definition of PII (GLBA, HIPAA, Privacy Act, ect). For example, under HIPAA there are 18 points of personally identifiable information . The pieces of identifiable information are as follows:  Name, address, city, county, zip, precinct, DOB, admission date, discharge date, date of death, ages over 80, Telephone/Fax #, Email address, SSN, Medical record #, Health plan #, Account#, Certificate/license #, Vehicle (VIN, Plate#), Device ID and Serial #, URL, Biometric ID (finger print, voice print), Full-face photographs,  and ny other unique identifiers. In the   EU (GDPR), personal data is defined as data related to an identifiable natural person, who can be identified (directly or indirectly) by reference

Health Information Technology for Economic and Clinical Health (HITECH) is the also known as the HIPAA (healthcare) security Rule. The purpose of this rule is to ensure the confidentiality, integrity and availability (CIA) of all Personal Health Information (PHI) the Covered Entity (CE) and or Business Associate (BA) creates, receives, maintains and transmits. In order to achieve this, the CE or BA must implement safeguards. An example of a physical safeguard are locks on a door. An example of a administrative safeguards is a Privacy Officer assigning role base access of PHI for employees. So that only employees who are involved in the patients care can access the PHI of that patient. Technical Safeguards include : configured computer servers and the encryption of PHI during transmission or at rest.  Further, HITECH requires CEs to provide notice to individuals IF there is an unauthorized disclosure of that PHI and there a risk of harm that exposure o

HIPAA regulations make up two main parts: The Privacy (HIPAA) Rights of individuals related to their Personally Healthcare Information (PHI) and the Security (HITECH) of the healthcare information held by Covered Entities .  The Privacy Rule requires covered entities to provide individuals with a copy of their notice of privacy practices, at the first visit/date of service. Covered Entities must be able to prove that patients received these notices; thus they generally require individuals to sign a document called "receipt of notices of privacy practices." These notices must contain information on how the covered entity's   use   and disclosures of the PHI. For example, there should be   a statement   that the PHI will be used consistent with payment of claims, treatment of the individual and for business operations (quality control, auditing or internal monitoring). In addition, the notice should contain information on instances when a signed release would be re